Kubeconfig (kubectl configuration)

A kubeconfig is a YAML file that tells kubectl (and other Kubernetes clients) which cluster to talk to and how to authenticate. By default, kubectl reads:

~/.kube/config

What's inside a kubeconfig

A kubeconfig typically contains:

clusters: API server server: endpoint + the cluster CA (certificate-authority-data or certificate-authority)
users: how to authenticate (commonly a token, client cert/key, or an exec auth plugin)
contexts: a named binding of (cluster + user + optional namespace)
current-context: which context kubectl uses by default

Minimal example shape:

apiVersion: v1
kind: Config
clusters:
- name: my-cluster
  cluster:
    server: https://my-k8s-cluster.example.com
    certificate-authority-data: <base64-ca-cert>
users:
- name: my-user
  user:
    token: <bearer-token>
contexts:
- name: my-context
  context:
    cluster: my-cluster
    user: my-user
current-context: my-context

Common workflows

List contexts and switch clusters

kubectl config get-contexts -o name
kubectl config use-context my-context

Quick sanity check:

kubectl get nodes

Use a specific kubeconfig (without changing your default)

Use-case: CI jobs, one-off access to prod, testing a new config you were given.

Inline for a single command:

kubectl get nodes --kubeconfig "$HOME/.kube/dev_cluster_config"

Via environment variable:

export KUBECONFIG="$HOME/.kube/dev_cluster_config"
kubectl get nodes

Precedence (what wins)

In practice, these commonly override each other in this order:

--kubeconfig ... on the command line
KUBECONFIG=... environment variable
default ~/.kube/config (and its current-context)

Merge multiple kubeconfig files into one

Use-case: you have separate kubeconfigs for dev/test/prod, but want a single ~/.kube/config with multiple contexts.

From ~/.kube (or using full paths), you can merge and flatten:

KUBECONFIG=config:dev_config:test_config kubectl config view --merge --flatten > config.new
mv "$HOME/.kube/config" "$HOME/.kube/config.old"
mv "$HOME/.kube/config.new" "$HOME/.kube/config"

Verify:

kubectl config get-contexts -o name

Minify (show only the active context)

Use-case: quickly inspect exactly what kubectl will use right now.

kubectl config view --minify

Remove a stale context

Use-case: cluster was deleted, but the context still exists locally.

kubectl config get-contexts -o name
kubectl config delete-context my-old-context

Creating a least-privilege kubeconfig (concept)

Common pattern: create a dedicated identity (often a ServiceAccount) with RBAC permissions restricted to what’s needed (namespace-scoped when possible), then generate a kubeconfig that authenticates as that identity.

Typical building blocks:

ServiceAccount in a namespace
Role/ClusterRole granting specific verbs/resources
RoleBinding/ClusterRoleBinding binding the ServiceAccount to the role
A token for the ServiceAccount (Kubernetes v1.24+ commonly uses an explicit token Secret or projected tokens)

Once you have the cluster endpoint, CA data, and token, you can assemble a kubeconfig like the minimal example above.

Security best practices

Kubeconfigs often contain tokens and/or client keys. Treat them like credentials.

Lock down permissions:

chmod 600 "$HOME/.kube/config"
chmod 700 "$HOME/.kube"

Avoid accidental commits:

Keep kubeconfigs out of Git repos
Add patterns to ignore files named like kubeconfig* (either per-repo .gitignore or your global gitignore)

Sources

Kubeconfig File Explained (Examples, Usage and Configuration) (DevOpsCube)

What's inside a kubeconfig​

Common workflows​

List contexts and switch clusters​

Use a specific kubeconfig (without changing your default)​

Precedence (what wins)​

Merge multiple kubeconfig files into one​

Minify (show only the active context)​

Remove a stale context​

Creating a least-privilege kubeconfig (concept)​

Security best practices​

Sources​